API: Finding Success from a Failure

Wednesday, November 8, 2017 @ 05:11 PM gHale

By Gregory Hale
Here is a different and interesting twist on a now well-known cyber incident that happened in the Ukraine Dec. 23, 2015.

That incident led to power outage for 220,000 people for six hours. From a risk management standpoint, it was a cybersecurity disaster where a utility lost control of its network as its coverage area plunged into darkness for six hours until workers were able to get out to substations and manually restore power to the area.

“That is a success story,” said Dale Peterson, chief executive at Digital Bond during a Tuesday presentation entitled, “It’s Not About ICS Security – It’s Business Risk and Safety” at the 12th Annual API Cybersecurity Conference in Houston, TX. “If you could have a conversation (with management) saying six hours is the most time we would have had an outage, that is a good conversation to have.”

Think about it for a moment, the attackers had to plan and coordinate an attack for months on end and they wanted the grid to go out and instead, the utility had a back up plan after the technology failed and it was to go out to the substations and manually restore power. Six hours in not a bad amount of time to be without power. The glass is half full.

In terms of security, Peterson feels we have to look at things a bit differently and also need to have new conversations about security.

He talked about the risk equation where Risk = consequence x likelihood.

“The industry focuses on likelihood, but you also have to look at consequence,” he said. “We are not talking about random attackers. They are highly motivated and can cause big consequences.”

What users have to do is identify high consequence events. One way to do that, he said is to conduct a cyber process hazard analysis (PHA).

A cyber PHA is a systemic approach aligned with standards where you could apply additional countermeasures to fix a security risk.

Vulnerability assessment starts with understanding system you are going to evaluate. A user would look at:
• Evaluation of control system design
• As built or as found drawings
• Analysis of network communications understanding what devices are talking to what devices
• Analysis of network devices
• Analysis of servers/workstations
• Analysis of ICS devices
• Partition system into zones and conduits
• Review policies and procedures
• Recommend mitigations

The methodology behind the cyber PHA gives the user a systemic approach to assess ICS cyber risk. The beauty is the cyber folks don’t have to reinvent the wheel as they can use an approach similar to a safety PHA/HAZOP.

Along with doing a cyber PHA, users need to have better conversations with executives that will also teach them more about cybersecurity and what they really should be looking for.

There is a myth out there, Peterson said, that senior management will not pay for ICS security.

“We don’t see a problem getting money, there is a problem understanding risk,” he said.

Some impediments security professionals may face include:
1. You are hiding risk from management
2. Not good at asking for money
3. You are not adapting to the risk management process
4. You are not able to explain the risk reduction achieved

Security needs a fresh positive approach and not end up in a reactionary position at all times. If they have good conversations with management and understand what their systems are capable of, security does not have to be a nightmare.

“You have to understand what the system capable of doing versus what you use it for,” Peterson said.